White hat gray hat black hat – what’s the difference?

In computer security circles, you’ll hear the words white hat gray hat black hat thrown around a lot. Everyone just assumes you know what they mean. If you’re unsure about it, here’s what the terms mean, and what the difference is.

What is a hacker?

The word hacker is a pretty loaded term. When I asked my boss if I could go to my son’s career day at school, he said yes. “My son’s teacher really wanted to talk to me when she found out I was a hacker,” he said.

We certainly get portrayed in popular media in much the same way as a wizard or a warlock, and often with just as much misunderstanding. Our laws reflect that misunderstanding.

Mainly, hacking comes down to curiosity about how things work, whether by design or not. It’s not all that different from the hot rod culture that emerged after World War II, making modifications to a car to make it go faster. Computers just have more room for modifications and unintended consequences. Hacking is a mindset.

It really does just start off as simple as wondering what happens when the computer asks me for my phone number and I type my name in instead. What will the computer do if I type in letters where numbers belong? What if I leave it blank? By entering something the computer doesn’t expect, you might be able to make the computer do something it wasn’t supposed to do.

White hat gray hat black hat is all about what you do when you enter something other than a phone number, and the computer does something other than politely tell you that’s not a valid phone number and please try again.
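As an added illustration of the probes described above (this is constructed example code, not code from the original post), here is a phone-number field handled two ways: a naive handler that just converts whatever arrives, and a validating handler that copes with a name, stray letters and a blank entry without blowing up. The function names, the regular expression and the sample inputs are my own assumptions.

```python
import re

# Constructed "before" handler: assumes the field really holds a phone number.
# A name, a blank, or punctuation makes int() raise, i.e. the program misbehaves
# instead of politely saying "that is not a valid phone number".
def naive_handler(raw: str) -> int:
    return int(raw)

# Hardened handler: strip common separators, then insist that only digits
# (optionally led by '+') remain. Never raises on user input.
PHONE_RE = re.compile(r"^\+?\d{7,15}$")

def validated_handler(raw):
    if raw is None or not raw.strip():
        return {"ok": False, "error": "blank"}
    cleaned = re.sub(r"[\s().-]", "", raw)
    if not PHONE_RE.fullmatch(cleaned):
        return {"ok": False, "error": "not a phone number"}
    return {"ok": True, "value": cleaned}

# Run each probe against a handler and record whether it accepted the input,
# rejected it with a structured error, or crashed with an exception.
def probe(handler, inputs):
    outcomes = {}
    for label, raw in inputs.items():
        try:
            out = handler(raw)
        except Exception as exc:
            outcomes[label] = f"crashed: {type(exc).__name__}"
            continue
        if isinstance(out, dict) and not out["ok"]:
            outcomes[label] = "rejected politely"
        else:
            outcomes[label] = "accepted"
    return outcomes

# Constructed sample inputs: the three probes from the text plus two extras.
PROBES = {
    "phone": "5551234567",
    "name": "Dave",
    "letters": "555-CALL-NOW",
    "blank": "",
    "spaces": "   ",
    "formatted": "(555) 123-4567",
}

if __name__ == "__main__":
    for name, handler in (("naive", naive_handler), ("validated", validated_handler)):
        print(name, probe(handler, PROBES))
```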

White hat hackers

A “white hat,” or a security professional who has never, ever crossed the line and done something questionable, probably can’t help you as much as one who has.

These are the good guys. A white hat hacker knows a few things about computer security but never uses that knowledge for evil. By some standards, these are the only good hackers. By other standards, they aren’t good. A pure white hat who’s never done anything remotely wrong, some will argue, is useless.

There can be a fine line between the white hat and the gray hat.

I’ll give you an example. Several years ago, my management handed me two files and a directive. They wanted me to steal the files, then tell them how I did it. I stole them, and nobody had any idea I’d stolen them. Then I told them, in painstaking detail, how I did it.

Am I still a white hat? Some will say yes, because I had permission. Some will say no, because stealing is stealing. I don’t really care which you say I am. The most important thing is that I made you ask the question. A white hat who doesn’t make you ask the question is less useful.

Gray hat hackers

Gray hat hackers cross the line and might do some questionable stuff. The most controversial gray hats sell security information to governments, not necessarily knowing what they’re going to do with the information.

Every religion or philosophy on life acknowledges that all people have some good and some bad in them. Some people are exceptionally good. Some people are exceptionally bad. I’m sure some names come to mind. Most of us are somewhere in between. Those are the gray hats.

Why do you want a gray hat who is mostly good? Let me tell you another story.

About a year ago, a radio talk show host asked me how hard it is to hack someone. So I told him how I would go about hacking him, if I were going to do it. I prefaced it by saying I’d never do these things, but if I were going to, here’s how. And by the end, the intern was looking at me as if she was wondering why I’m not in jail.

I probably scared a lot of people. But that’s my job. I’m effective in my field of vulnerability management because when someone says, “I know that patch is two years old, but nothing bad has happened, so I’m not going to apply that,” I can answer that.

The ideal security person ought to scare you a bit.

Black hat hackers

Black hat hackers are the bad guys. They break laws and hurt people, and unlike some gray hats who break laws but have arguably good intentions, the black hats don’t have good intentions. They’re out for themselves.

Sometimes it’s hard to know where to draw the line. When a hacker is motivated by political activism, your view may depend on how far that hacker’s views are from your own. For that reason I’m more willing to call “hacktivists” gray hats.

I once worked with a guy who dabbled in black-hat stuff after hours. Once his coworkers didn’t trust him, he didn’t last long.

That’s the problem with black hats: trust. Sometimes people grow out of it, clean up their ways, and become productive security professionals. But if you get the sense that someone isn’t trustworthy, don’t hire them and give them access to your building and your computer network.

Someone who’s been to the dark side and back can be useful. Just make sure they’re all the way back.

White hat gray hat black hat

Several years ago, a coworker asked me what kept me from using my skills and knowledge to do black-hat things. The first reason, of course, is morals. I’m not supposed to be willfully doing things that mean profiting off hurting people. Every moral code I’ve ever seen agrees on that.

But moral code aside, black hat hackers tend to have short careers. Why have a short career that ends with going to jail when you can have a long career, make a good living, and end that career on your own terms?